I'm using
- Spring Boot 2.7.12
- Spring Security 5.8.3
(I did test with Spring Boot 3.1.0, and I am facing the same issue)
Describe the bug
While playing around with Custom DSL, I noticed 2 additional filters are being applied when using custom dsl.
- DefaultLoginPageGeneratingFilter
- DefaultLogoutPageGeneratingFilter
Not exactly sure if this is intended behavior, but I thought it shouldn't be?
To Reproduce
Here's the following code
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity(debug = true)
public class WebSecurityConfig {
@Bean
public SecurityFilterChain docsFilterChain(HttpSecurity http) throws Exception {
return http
// .apply(DummyDsl.dummyDsl())
// .and()
.build();
}
}
public class DummyDsl extends AbstractHttpConfigurer<DummyDsl, HttpSecurity> {
@Override
public void init(HttpSecurity http) throws Exception {
http.formLogin(AbstractHttpConfigurer::disable);
}
public static DummyDsl dummyDsl() {
return new DummyDsl();
}
}When custom dsl is not applied, this is the filter chain
Security filter chain: [
DisableEncodeUrlFilter
WebAsyncManagerIntegrationFilter
SecurityContextHolderFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
ExceptionTranslationFilter
]
But when it is being applied, this is the filter chain
Security filter chain: [
DisableEncodeUrlFilter
WebAsyncManagerIntegrationFilter
SecurityContextHolderFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
ExceptionTranslationFilter
]
Expected behavior
I should expect that the filter chain should be same across both setup, unless I am missing something (I hope not)?
Sample
You can find the reproduce over at spring-security-custom-dsl-bug
Additional Notes
As the docs isn't very explicit, but can I assume that the custom dsl is used for, or at least, can be used for the purpose of having a common configuration that can be re-use in different SecurityFilterChain?
I'm using
(I did test with Spring Boot 3.1.0, and I am facing the same issue)
Describe the bug
While playing around with Custom DSL, I noticed 2 additional filters are being applied when using
custom dsl.Not exactly sure if this is intended behavior, but I thought it shouldn't be?
To Reproduce
Here's the following code
When
custom dslis not applied, this is the filter chainBut when it is being applied, this is the filter chain
Expected behavior
I should expect that the filter chain should be same across both setup, unless I am missing something (I hope not)?
Sample
You can find the reproduce over at spring-security-custom-dsl-bug
Additional Notes
As the docs isn't very explicit, but can I assume that the
custom dslis used for, or at least, can be used for the purpose of having a common configuration that can be re-use in differentSecurityFilterChain?